PCI-DSS Expired Password Users
This specification adds the ability to query for a list of users whose password has expired and who are currently "locked-out" due to needing an administrator to reset their password before they can authenticate.

Change-Id: Ic41a35a22413f85a0511e16644a0b664cd596911
Co-Authored-By: Tin Lam <tinlam@gmail.com>
parent 66418f5c03
commit f5bdfa3273

specs/keystone/ocata/pci-dss-expired-password.rst (new file, 198 lines)
@ -0,0 +1,198 @@
..
 This work is licensed under a Creative Commons Attribution 3.0 Unported
 License.

 http://creativecommons.org/licenses/by/3.0/legalcode

====================================
PCI-DSS Query Password Expired Users
====================================

Blueprint `pci-dss-query-password-expired-users <https://blueprints.launchpad.net/keystone/+spec/pci-dss-query-password-expired-users>`_

Problem Description
===================

Currently, when using the:
``keystone.conf [security_compliance] password_expires_days``
value, when a user's password expires and then must be reset by an
administrator, there is no way to query a list of users who are in
this state of password expiration. We would like the ability to retrieve
a list of users whose passwords has expired for technical support and
auditing purposes.

Proposed Change
===============

A new query will be added to the existing:
``GET /v3/users``
API call that would allow an administrator to query a list of users who are
currently locked-out due to password expiration. This will allow operators to
set up jobs to generate necessary audit lists and notifications.

**Query list of users based on their passwords' expiry time**

Gets a list of users based on their password expiry time.

.. code-block:: bash

    GET /v3/users?password_expires_at={operator}:{timestamp}

Where ``{timestamp}`` is a datetime in the format of ``YYYY-MM-DDTHH:mm:ssZ``
and ``{operator}`` can be either ``lt`` or ``gt``. Note that
user can also do equality matching via
``/v3/users?password_expires_at={timestamp}``; however,
due to the nature of this query, it may not be as useful.

http://specs.openstack.org/openstack/api-wg/guidelines/pagination_filter_sort.html#filtering

Examples
========

**Query list of users whose password has expired before a given timestamp.**

.. code-block:: bash

    GET /v3/users?password_expires_at=lt:2016-10-10T15:30:22Z

**Response**

.. code-block:: json

    {
        "links": {
            "next": null,
            "previous": null,
            "self": "http://example.com/identity/v3/users"
        },
        "users": [
            {
                "domain_id": "default",
                "enabled": false,
                "id": "514a66612f53412796952414898a6b99",
                "name": "someuser1",
                "links": {
                    "self": "http://example.com/identity/v3/users/514a66612f53412796952414898a6b99"
                },
                "password_expires_at": "2016-07-07T15:32:17.000000"
            },
            {
                "domain_id": "default",
                "enabled": true,
                "id": "ce8a21d43bc64ce6840346f0a14a7fa9",
                "name": "someuser4",
                "links": {
                    "self": "http://example.com/identity/v3/users/ce8a21d43bc64ce6840346f0a14a7fa9"
                },
                "password_expires_at": "2016-10-09T00:21:04.000000"
            }
        ]
    }


**Query list of users whose password will expire after a given timestamp**

.. code-block:: bash

    GET /v3/users?password_expires_at=gt:2016-10-14T15:30:22Z

**Response**

.. code-block:: json

    {
        "links": {
            "next": null,
            "previous": null,
            "self": "http://example.com/identity/v3/users"
        },
        "users": [
            {
                "domain_id": "default",
                "enabled": false,
                "id": "514a66612f53412796952414898a6b99",
                "name": "someuser1",
                "links": {
                    "self": "http://example.com/identity/v3/users/514a66612f53412796952414898a6b99"
                },
                "password_expires_at": "2016-10-17T15:32:17.000000"
            }
        ]
    }



Alternatives
------------

Operators can directly query the SQL backend for users whose password has
expired by checking the ``password_expires_at`` field.

Security Impact
---------------

None. The added API change has no additional security impact.

Notifications Impact
--------------------

No additional notification will be added for this query.

Other End User Impact
---------------------

None. There will be no additional end user impact.

Performance Impact
------------------

This call may fail if there is a very large number of users since pagination
is currently not supported.

Other Deployer Impact
---------------------

None. The added API change has no additional deployer impact.

Developer Impact
----------------

None. The added API change has no additional developer impact.

Implementation
==============

Assignee(s)
-----------

Primary assignee:
  gagehugo <gagehugo@gmail.com>

Other contributors:
  lamt <tinlam@gmail.com>

Work Items
----------

* Implement new user query.
* Implement bindings in ``python-keystoneclient``.
* Implement unit tests.
* Document new user query usage.

Dependencies
============

This blueprint depends on the following:

* `PCI-DSS blueprint <https://blueprints.launchpad.net/keystone/+spec/pci-dss>`_

Documentation Impact
====================

Documentation in `api-ref` will be updated to include the added query
parameter and its usage.

References
==========

* `Midcycle Etherpad <https://etherpad.openstack.org/p/keystone-newton-midcycle>`_
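Review bot: The Security Impact section ("None. The added API change has no additional security impact.") understates this change: a filtered ``GET /v3/users`` that returns every account with an expired or soon-to-expire password is a list of accounts in a weakened state, and the Proposed Change itself says the query is meant for an administrator, so the spec should name the policy rule that governs ``GET /v3/users`` with this filter and state whether a non-admin caller has the filter applied or is rejected. Three smaller points in the same hunk: the query documents ``{timestamp}`` as ``YYYY-MM-DDTHH:mm:ssZ`` while both example responses return ``password_expires_at`` as ``"2016-07-07T15:32:17.000000"`` (microseconds, no zone designator), so the spec should say whether the accepted input format is the same as the output format; the timestamp itself contains colons (``lt:2016-10-10T15:30:22Z``), so the Work Items or the query description should state that the ``{operator}:{timestamp}`` value is split on the first colon only and that an unknown operator or unparsable timestamp is rejected rather than silently treated as equality matching; and the two example responses show the same user id ``514a66612f53412796952414898a6b99`` with ``password_expires_at`` of 2016-07-07 in the first and 2016-10-17 in the second, which reads as an inconsistency in the sample data rather than a reset between queries. Finally, Performance Impact says pagination is not supported, yet both responses carry ``next`` and ``previous`` link fields; either drop them from the examples or explain that they are always null.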